The Tor Project issues
https://gitlab.torproject.org/groups/tpo/-/issues
2022-12-20T18:13:49Z

https://gitlab.torproject.org/tpo/applications/tor-browser-spec/-/issues/40036
FF101 Audit
2022-12-20T18:13:49Z
richard

# General
The audit begins at the commit hash where the previous audit ended. Use code_audit.sh for creating the diff and highlighting potentially problematic code. The audit is scoped to a specific language (currently C/C++, Rust, Java/Kotlin, and JavaScript).
The output includes the entire patch where the new problematic code was introduced. Search for `XXX MATCH XXX` to find the next potential violation.
`code_audit.sh` contains the list of known problematic APIs. New usage of these functions is documented and analyzed in this audit.
## Firefox: https://github.com/mozilla/gecko-dev.git
- Start: `59930a20119813ea25546eaca75dcc3bbc500039` ( `FIREFOX_RELEASE_101_BASE` )
- End: `856b9168439ef597dbd103cd1e2940a8ad110450` ( `FIREFOX_RELEASE_102_BASE` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
Nothing of interest (using `code_audit.sh`)
---
## Application Services: https://github.com/mozilla/application-services.git
- Start: `6a4737d1c043d71dfac67e270ee4afa4fb6c73b4` ( `v93.2.1` )
- End: `0302b89604bb29adb34fdcd710feabd3dd01992d` ( `v93.5.0` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
Nothing of interest (using `code_audit.sh`)
## Android Components: https://github.com/mozilla-mobile/android-components.git
- Start: `4eef6c129c9611b6927bd50a5a1620ede57744b1` ( `v101.0.0` )
- End: `95fe1972b83b518a70febc76cdf3e27d5cfa390f` ( `v101.0.9` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
Nothing of interest (using `code_audit.sh`)
## Fenix: https://github.com/mozilla-mobile/fenix.git
- Start: `02ca27633b10acbe4db08aecf9c0a12d83376fd9` ( `v101.0.0-beta.1` )
- End: `be90007a460cc7b06008f319447011b2dce76aaa` ( `releases_v101.0.0` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
Nothing of interest (using `code_audit.sh`)
## Ticket Review ##
### 101 https://bugzilla.mozilla.org/buglist.cgi?query_format=advanced&resolution=FIXED&target_milestone=101%20Branch&order=priority%2Cbug_severity&limit=0
- https://bugzilla.mozilla.org/show_bug.cgi?id=1766401 : @ma1 https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41147
- https://bugzilla.mozilla.org/show_bug.cgi?id=1661450 : @boklm https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41148
- https://bugzilla.mozilla.org/show_bug.cgi?id=1762576 : @dan https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41149
- https://bugzilla.mozilla.org/show_bug.cgi?id=1753302 : @dan https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41150
- https://bugzilla.mozilla.org/show_bug.cgi?id=1757823 : @dan https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41151
## Regression/Prior Vuln Review ##
Review proxy bypass bugs; check for new vectors to look for:
- https://gitlab.torproject.org/groups/tpo/applications/-/issues?scope=all&utf8=%E2%9C%93&state=opened&label_name[]=Proxy%20Bypass
- Look for new features like these. Especially external app launch vectors
## Export
- [x] Export Report and save to `tor-browser-spec/audits`

Sponsor 131 - Phase 3 - Major ESR 102 Migration
richard

https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40711
Review and expand the stakeholders we communicate major changes to
2022-12-19T18:48:16Z
donuts

@richard has created this checklist as part of the release process (which is awesome):
```
### notify stakeholders
* [ ] Email tor-qa mailing list: [tor-qa@lists.torproject.org](mailto:tor-qa@lists.torproject.org)
* [ ] Provide links to unsigned builds on `$(BUILD_SERVER)`
* [ ] Call out any new functionality which needs testing
* [ ] Link to any known issues
* [ ] Email Tails dev mailing list: [tails-dev@boum.org](mailto:tails-dev@boum.org)
* [ ] Provide links to unsigned builds on `$(BUILD_SERVER)`
```
And also:
```
### tor-announce mailing list
* [ ] Send an email to [tor-announce@lists.torproject.org](mailto:tor-announce@lists.torproject.org), using the same content as the blog post and subject "Tor Browser $version is released".
```
However it looks like we caught torbrowser-launcher unawares with the 12.0 release: https://github.com/micahflee/torbrowser-launcher/issues/659
We should take the opportunity to review how we notify external stakeholders during development, and expand this list to include Micah Lee & The Guardian Project at minimum (who don't necessarily have the time to read every tor-qa or tor-announce email).

richard

https://gitlab.torproject.org/tpo/network-health/metrics/website/-/issues/40077
Document how to reproduce the "Total consensus weights across bandwidth authorities"-graph
2022-12-14T13:57:05Z
Georg Koppen

On https://metrics.torproject.org/totalcw.html we link to https://metrics.torproject.org/reproducible-metrics.html#servers for steps on how to reproduce the graph. However, https://metrics.torproject.org/reproducible-metrics.html#servers is missing a section documenting the respective steps.

https://gitlab.torproject.org/tpo/applications/team/-/issues/15
Review and expand the stakeholders we communicate major changes to
2022-12-09T16:55:11Z
donuts

@richard has created this checklist as part of the release process (which is awesome):
```
### notify stakeholders
* [ ] Email tor-qa mailing list: [tor-qa@lists.torproject.org](mailto:tor-qa@lists.torproject.org)
* [ ] Provide links to unsigned builds on `$(BUILD_SERVER)`
* [ ] Call out any new functionality which needs testing
* [ ] Link to any known issues
* [ ] Email Tails dev mailing list: [tails-dev@boum.org](mailto:tails-dev@boum.org)
* [ ] Provide links to unsigned builds on `$(BUILD_SERVER)`
```
And also:
```
### tor-announce mailing list
* [ ] Send an email to [tor-announce@lists.torproject.org](mailto:tor-announce@lists.torproject.org), using the same content as the blog post and subject "Tor Browser $version is released".
```
However it looks like we caught torbrowser-launcher unawares with the 12.0 release: https://github.com/micahflee/torbrowser-launcher/issues/659
We should take the opportunity to review how we notify external stakeholders during development, and expand this list to include Micah Lee & The Guardian Project at minimum (who don't necessarily have the time to read every tor-qa or tor-announce email).

https://gitlab.torproject.org/tpo/tpa/team/-/issues/40979
document our fastly/CDN setup
2022-11-30T19:55:45Z
anarcat

so we have a CDN we use here, and it's not really documented. we have fairly good docs on the ~"static-component" system, but nothing on ~Fastly. we didn't even have a tag for it until #40978 was filed (and i made it).
so we should document:
* [ ] what we use fastly for
* [ ] how it's configured (e.g. `cdn-config-fastly.git`, `./tor-puppet/modules/roles/files/puppetmaster/update-fastly-ips`, static-component yaml file, probably more)
* [ ] what talks to it and why not everything is on there
* [ ] what our limits are
* [ ] contact information
* [ ] password management
basically make a full service audit.

anarcat

https://gitlab.torproject.org/tpo/web/support/-/issues/280
Discourage more running a browser in parallel to Tor Browser
2022-11-30T16:52:28Z
Georg Koppen

We have https://support.torproject.org/tbb/tbb-17/ for answering the question about whether it is safe to run a different browser in parallel to Tor Browser.
It's correct that *Tor Browser's* privacy features are unaffected by that but we should stress more the risk of linking both browsing activities.
Maybe something like
```
If you run Tor Browser and another browser at the same time, it won't affect Tor's performance or privacy properties. However, be aware that when using Tor and another browser at the same time, your Tor activity could be linked to your non-Tor (real) IP from the other browser, simply by moving your mouse from one browser into the other. Or you may simply forget and accidentally use that non-private browser to do something that you intended to do in Tor Browser instead.
```
Thanks to `ForMariosTheHacker` at h1 for pointing that out.

Gus

https://gitlab.torproject.org/tpo/core/tor/-/issues/25068
Make HSIntro consistent with rend_service_descriptor_t.protocols
2022-11-23T14:34:13Z
teor

HSIntro supports protocol versions 3 and 4:
```
The "HSIntro" protocol handles introduction points.
"3" -- supports authentication as of proposal 121 in Tor
0.2.1.6-alpha.
"4" -- support ed25519 authentication keys which is defined by the HS v3
protocol as part of proposal 224 in Tor 0.3.0.4-alpha.
```
But rend_service_update_descriptor() says "intro protocols 2 and 3":
```
/* Support intro protocols 2 and 3. */
d->protocols = (1 << 2) + (1 << 3);
```
I think we need to delete "2" here.
And rend_service_descriptor_t says "introduce/rendezvous" 0-3:
```
/** Bitmask: which introduce/rendezvous protocols are supported?
* (We allow bits '0', '1', '2' and '3' to be set.) */
unsigned protocols : REND_PROTOCOL_VERSION_BITMASK_WIDTH;
```
I think we need to delete "/rendezvous" and 0-2 here.
This seems to be a bug in 496fe68 in 0.2.5.3-alpha.

https://gitlab.torproject.org/tpo/applications/tor-browser-spec/-/issues/40037
FF102 Audit
2022-11-23T13:44:36Z
richard

# General
The audit begins at the commit hash where the previous audit ended. Use code_audit.sh for creating the diff and highlighting potentially problematic code. The audit is scoped to a specific language (currently C/C++, Rust, Java/Kotlin, and JavaScript).
The output includes the entire patch where the new problematic code was introduced. Search for `XXX MATCH XXX` to find the next potential violation.
`code_audit.sh` contains the list of known problematic APIs. New usage of these functions is documented and analyzed in this audit.
## Firefox: https://github.com/mozilla/gecko-dev.git
- Start: `856b9168439ef597dbd103cd1e2940a8ad110450` ( `FIREFOX_RELEASE_102_BASE` )
- End: `4960b7d420528392cc095c247a662670785b18b9` ( `FIREFOX_RELEASE_103_BASE` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
Nothing of interest (using `code_audit.sh`)
---
## Application Services: https://github.com/mozilla/application-services.git
- Start: `0302b89604bb29adb34fdcd710feabd3dd01992d` ( `v93.5.0` )
- End: `55cbbddfdcb4ec82d2850e0811e8675fea2686c2` ( `v93.7.0` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
Nothing of interest (using `code_audit.sh`)
## Android Components: https://github.com/mozilla-mobile/android-components.git
- Start: `2b414097d4f540948f67f62f57c5ddcb0e2789d9` ( `v102.0.1` )
- End: `cd19f9a6c5e26c4e57dda6e549a5c63ac7c042ea` ( `v102.0.14` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
Nothing of interest (using `code_audit.sh`)
## Fenix: https://github.com/mozilla-mobile/fenix.git
- Start: `cc68c965cbb29eb16244d242d433051327de5f48` ( `v102.0.0-beta.1` )
- End: `2ec252d5f5d09b3eb73840ce585453b7105a7a7d` ( `releases_v102.0.0` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
Nothing of interest (using `code_audit.sh`)
## Ticket Review ##
### 102 https://bugzilla.mozilla.org/buglist.cgi?query_format=advanced&resolution=FIXED&target_milestone=102%20Branch&order=priority%2Cbug_severity&limit=0
- https://bugzilla.mozilla.org/show_bug.cgi?id=1767919 : @pierov https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41152
- ~~https://bugzilla.mozilla.org/show_bug.cgi?id=1770881 : @pierov https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41153~~ 102esr is unaffected: the Bugzilla ticket was wrong and then has been fixed
- https://bugzilla.mozilla.org/show_bug.cgi?id=1765167 : @pierov https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41154
- https://bugzilla.mozilla.org/show_bug.cgi?id=1751450 : @richard https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41155
where `$(FIREFOX_VERSION)` is the major Firefox version we are auditing (eg: '91')
Nothing of interest (manual inspection)
**OR** (foreach)**
### foreach PROBLEMATIC_TICKET:
#### $(PROBLEMATIC_TICKET)
- Summary
- Review Result: (SAFE|BAD)
## Regression/Prior Vuln Review ##
Review proxy bypass bugs; check for new vectors to look for:
- https://gitlab.torproject.org/groups/tpo/applications/-/issues?scope=all&utf8=%E2%9C%93&state=opened&label_name[]=Proxy%20Bypass
- Look for new features like these. Especially external app launch vectors
## Export
- [ ] Export Report and save to `tor-browser-spec/audits`

Sponsor 131 - Phase 3 - Major ESR 102 Migration
richard

https://gitlab.torproject.org/tpo/web/manual/-/issues/131
Add new section - how to get help
2022-11-11T14:18:01Z
Gus

We have different support channels and bots on Tor. Let's list all of them on a new section.

Gus

https://gitlab.torproject.org/tpo/applications/tor-browser-spec/-/issues/40029
FF95 Audit
2022-11-02T20:48:15Z
richard

# General
The audit begins at the commit hash where the previous audit ended. Use code_audit.sh for creating the diff and highlighting potentially problematic code. The audit is scoped to a specific language (currently C/C++, Rust, Java/Kotlin, and JavaScript).
The output includes the entire patch where the new problematic code was introduced. Search for `XXX MATCH XXX` to find the next potential violation.
`code_audit.sh` contains the list of known problematic APIs. New usage of these functions is documented and analyzed in this audit.
## Firefox: https://github.com/mozilla/gecko-dev.git
- Start: `6c9b6e1483551f220cd409e4e584349bc74a8231` ( `FIREFOX_RELEASE_95_BASE` )
- End: `6a277ae5bdf6554793cd0da292a9c9ea804b4ed9` ( `FIREFOX_RELEASE_96_BASE` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
Nothing of interest (using `code_audit.sh`)
---
## Application Services: https://github.com/mozilla/application-services.git
- Start: `df1a47fde89f49201b1e839f960e8f16eb95a55d` ( `v87.1.0` )
- End: `5ceeb43598871a7d8550acc574a6a3fb93803ad7` ( `v87.3.0` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
Nothing of interest (using `code_audit.sh`)
## Android Components: https://github.com/mozilla-mobile/android-components.git
- Start: `ef09fecd91dfcbffb85d9f4907b76cc9e5a0b70e` ( `v95.0.0` )
- End: `93066a8f082fa2db3d38d361d0a538c438d2e1b8` ( `v95.0.15` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
Nothing of interest (using `code_audit.sh`)
## Fenix: https://github.com/mozilla-mobile/fenix.git
- Start: `9ab24a371b2dd51d18dab2f7f49facc6d2fd56ad` ( `v95.0.0-beta.1` )
- End: `d01642a0b1e3819cd2802b42a8a6aae43eb5ff12` ( `releases_v95.0.0` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
Nothing of interest (using `code_audit.sh`)
## Ticket Review ##
### Review List
#### 95 https://bugzilla.mozilla.org/buglist.cgi?query_format=advanced&resolution=FIXED&target_milestone=95%20Branch&order=priority%2Cbug_severity&limit=0
- https://bugzilla.mozilla.org/show_bug.cgi?id=1732792 : @dan https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41125
- https://bugzilla.mozilla.org/show_bug.cgi?id=1734262 : @ma1 https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41126
- https://bugzilla.mozilla.org/show_bug.cgi?id=1726524 : @henry https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41127
- https://bugzilla.mozilla.org/show_bug.cgi?id=1734331 : @boklm https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41128
### foreach PROBLEMATIC_TICKET:
#### $(PROBLEMATIC_TICKET)
- Summary
- Review Result: (SAFE|BAD)
## Regression/Prior Vuln Review ##
Review proxy bypass bugs; check for new vectors to look for:
- https://gitlab.torproject.org/groups/tpo/applications/-/issues?scope=all&utf8=%E2%9C%93&state=opened&label_name[]=Proxy%20Bypass
- Look for new features like these. Especially external app launch vectors
## Export
- [x] Export Report and save to `tor-browser-spec/audits`

Sponsor 131 - Phase 3 - Major ESR 102 Migration
richard

https://gitlab.torproject.org/tpo/onion-services/onion-support/-/issues/64
Organize documentation about Onion Services UX improvements
2022-11-02T17:51:03Z
Silvio Rhatto

* [x] Compile existing proposals related to Onion Services usability.
* [x] Merge wiki pages/discussions in a single, canonical place.
* [x] Organize and summarize.
* [x] Discuss how proposals can be compared.
* [x] Discuss how proposals can be combined in incremental roadmaps.

Sponsor 123: Tor Secure Access Package for USAGM [First Phase]
Silvio Rhatto
2022-10-31

https://gitlab.torproject.org/tpo/applications/tor-browser-spec/-/issues/40030
FF97 Audit
2022-11-01T21:23:44Z
richard

# General
The audit begins at the commit hash where the previous audit ended. Use code_audit.sh for creating the diff and highlighting potentially problematic code. The audit is scoped to a specific language (currently C/C++, Rust, Java/Kotlin, and JavaScript).
The output includes the entire patch where the new problematic code was introduced. Search for `XXX MATCH XXX` to find the next potential violation.
`code_audit.sh` contains the list of known problematic APIs. New usage of these functions is documented and analyzed in this audit.
## Firefox: https://github.com/mozilla/gecko-dev.git
- Start: `e6b83e1727b7e9a6847e6e15bdb935d9937099e4` ( `FIREFOX_RELEASE_97_BASE` )
- End: `82764d45153d175f4686ead7aac977810fe1fd1b` ( `FIREFOX_RELEASE_98_BASE` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
Nothing of interest (using `code_audit.sh`)
**OR**
### foreach PROBLEMATIC_HASH:
#### $(PROBLEMATIC_HASH)
- Summary
- Review Result: (SAFE|BAD)
---
## Application Services: https://github.com/mozilla/application-services.git
- Start: `df53ad867be7d79899e05797533cd624f1eeb2a2` ( `v90.0.1` )
- End: `17942945873cdb8be56a9316d3cb8a611b3ef321` ( `v91.1.0` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
Nothing of interest (using `code_audit.sh`)
## Android Components: https://github.com/mozilla-mobile/android-components.git
- Start: `604152ef532c33d8fc2412fd6d21cf29e9764c51` ( `v97.0.0` )
- End: `0465a6f809adafd5429c230e890e7f4911f0070e` ( `v97.0.13` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
Nothing of interest (using `code_audit.sh`)
## Fenix: https://github.com/mozilla-mobile/fenix.git
- Start: `84d4a07c0067f7c51757b157c79658a891870d95` ( `v97.0.0-beta.1` )
- End: `16042ab2a16a64c9c94c8c01ea93578062415ac5` ( `releases_v97.0.0` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
Nothing of interest (using `code_audit.sh`)
## Ticket Review ##
### Review List
#### 97 https://bugzilla.mozilla.org/buglist.cgi?query_format=advanced&resolution=FIXED&target_milestone=97%20Branch&order=priority%2Cbug_severity&limit=0
- https://bugzilla.mozilla.org/show_bug.cgi?id=1741428 @richard https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41130
- https://bugzilla.mozilla.org/show_bug.cgi?id=1738983 @pierov https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41131
- https://bugzilla.mozilla.org/show_bug.cgi?id=1432983 @pierov https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41132
- https://bugzilla.mozilla.org/show_bug.cgi?id=1745092 @boklm https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41133
Nothing of interest (manual inspection)
**OR** (foreach)**
### foreach PROBLEMATIC_TICKET:
#### $(PROBLEMATIC_TICKET)
- Summary
- Review Result: (SAFE|BAD)
## Regression/Prior Vuln Review ##
Review proxy bypass bugs; check for new vectors to look for:
- https://gitlab.torproject.org/groups/tpo/applications/-/issues?scope=all&utf8=%E2%9C%93&state=opened&label_name[]=Proxy%20Bypass
- Look for new features like these. Especially external app launch vectors
## Export
- [ ] Export Report and save to `tor-browser-spec/audits`

Sponsor 131 - Phase 3 - Major ESR 102 Migration
richard

https://gitlab.torproject.org/tpo/applications/tor-browser-spec/-/issues/40035
FF100 Audit
2022-10-26T23:12:49Z
richard

# General
The audit begins at the commit hash where the previous audit ended. Use code_audit.sh for creating the diff and highlighting potentially problematic code. The audit is scoped to a specific language (currently C/C++, Rust, Java/Kotlin, and JavaScript).
The output includes the entire patch where the new problematic code was introduced. Search for `XXX MATCH XXX` to find the next potential violation.
`code_audit.sh` contains the list of known problematic APIs. New usage of these functions is documented and analyzed in this audit.
## Firefox: https://github.com/mozilla/gecko-dev.git
- Start: `cd4dcd48476d8cb29f4770f6fb659e440ff84345` ( `FIREFOX_RELEASE_100_BASE` )
- End: `59930a20119813ea25546eaca75dcc3bbc500039` ( `FIREFOX_RELEASE_101_BASE` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
Nothing of interest (using `code_audit.sh`)
---
## Application Services: https://github.com/mozilla/application-services.git
- Start: `21f2904245a956366cae798e16035156c8232cad` ( `v93.0.2` )
- End: `6a4737d1c043d71dfac67e270ee4afa4fb6c73b4` ( `v93.2.1` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
Nothing of interest (using `code_audit.sh`)
## Android Components: https://github.com/mozilla-mobile/android-components.git
- Start: `ba604c57073b3ed91cc863e5d9a7aa9d7e7a4b95` ( `v100.0.0` )
- End: `7b24cbd76371562a9e9a842ca351dae7599d53f3` ( `v100.0.12` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
Nothing of interest (using `code_audit.sh`)
## Fenix: https://github.com/mozilla-mobile/fenix.git
- Start: `89d64fc0e8204b6f2f442a656108ee2dc9bffbef` ( `v100.0.0-beta.1` )
- End: `827b01341f76e9ee8c152260992eb5f22a775791` ( `releases_v100.0.0` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
Nothing of interest (using `code_audit.sh`)
## Ticket Review ##
### 100 https://bugzilla.mozilla.org/buglist.cgi?query_format=advanced&resolution=FIXED&target_milestone=100%20Branch&order=priority%2Cbug_severity&limit=0
- https://bugzilla.mozilla.org/show_bug.cgi?id=1760621 : @boklm https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41142
- https://bugzilla.mozilla.org/show_bug.cgi?id=1758781 : @pierov https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41143
- https://bugzilla.mozilla.org/show_bug.cgi?id=1752906 : @ma1 https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41144
- https://bugzilla.mozilla.org/show_bug.cgi?id=1759592 : @dan https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41145
- https://bugzilla.mozilla.org/show_bug.cgi?id=1699658 : @dan https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41146
Nothing of interest (manual inspection)
**OR** (foreach)**
### foreach PROBLEMATIC_TICKET:
#### $(PROBLEMATIC_TICKET)
- Summary
- Review Result: (SAFE|BAD)
## Regression/Prior Vuln Review ##
Review proxy bypass bugs; check for new vectors to look for:
- https://gitlab.torproject.org/groups/tpo/applications/-/issues?scope=all&utf8=%E2%9C%93&state=opened&label_name[]=Proxy%20Bypass
- Look for new features like these. Especially external app launch vectors
## Export
- [ ] Export Report and save to `tor-browser-spec/audits`

Sponsor 131 - Phase 3 - Major ESR 102 Migration
richard

https://gitlab.torproject.org/tpo/community/support/-/issues/40061
Define a process to evaluate docs mirrors availability in China
2022-10-26T20:47:50Z
Gus

As part of S96 work, we want to track if/when a Tor documentation mirror is blocked in China, so we can advertise a new one.

Sponsor 96: Rapid Expansion of Access to the Uncensored Internet through Tor in China, Hong Kong, & Tibet
Gus

https://gitlab.torproject.org/tpo/community/l10n/-/issues/40057
recreate graphics in svg to offer up for translation
2022-10-26T20:41:06Z
emmapeel

the graph at https://community.torproject.org/training/resources/all-about-tor/#/0/11 , which is located at https://community.torproject.org/static/images/training/slides/all-about-tor/tor-browser-features.png, should be recreated on svg format or in some way be translated for the other locales of the page.
Same with the graph at https://community.torproject.org/training/resources/all-about-tor/#/0/7
the first graph is:
![tor-browser-features](/uploads/ec46350e3cda8656103dc96f616e002f/tor-browser-features.png)
and the second (added to ticket on Feb. 17) is:
![how-tor-relays-work](/uploads/48e17c684d8e73ede77d97dbc839757f/how-tor-relays-work.png)

emmapeel

https://gitlab.torproject.org/tpo/community/training/-/issues/21
Update Tor Browser screenshots on Tor training materials
2022-10-26T20:37:09Z
Gus

The UX Team did significant changes on Tor Browser 11 UI and we will need to update our training materials.

Sponsor 9 - Phase 6 - Usability and Community Intervention on Support for Democracy and Human Rights
Gus

https://gitlab.torproject.org/tpo/applications/tor-browser-spec/-/issues/40026
FF99 Audit
2022-10-25T22:48:05Z
aguestuser

# General
The audit begins at the commit hash where the previous audit ended. Use code_audit.sh for creating the diff and highlighting potentially problematic code. The audit is scoped to a specific language (currently C/C++, Rust, Java/Kotlin, and JavaScript).
The output includes the entire patch where the new problematic code was introduced. Search for `XXX MATCH XXX` to find the next potential violation.
`code_audit.sh` contains the list of known problematic APIs. New usage of these functions is documented and analyzed in this audit.
## Firefox: https://github.com/mozilla/gecko-dev.git
- Start: `99300ebd4a4a6440b6a11a80108f1ed6d867cdb4` ( `FIREFOX_RELEASE_99_BASE` )
- End: `cd4dcd48476d8cb29f4770f6fb659e440ff84345` ( `FIREFOX_RELEASE_100_BASE` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
Nothing of interest (using `code_audit.sh`)
---
## Application Services: https://github.com/mozilla/application-services.git
- Start: `1fcdb5984be6e0cc460d00cde44c49b7e3ac1ec6` ( `v92.0.0` )
- End: `21f2904245a956366cae798e16035156c8232cad` ( `v93.0.2` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
Nothing of interest (using `code_audit.sh`)
## Android Components: https://github.com/mozilla-mobile/android-components.git
- Start: `4154c161f0949fdf3e94780c8b5ac360722e909c` ( `v99.0.0` )
- End: `2cf4dbe50f6810d373aeb550e722fabfc6816f56` ( `v99.0.10` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
Nothing of interest (using `code_audit.sh`)
## Fenix: https://github.com/mozilla-mobile/fenix.git
- Start: `f4a5a4e471d17be791d73fddc63ebdfb734368e4` ( `v99.0.0-beta.1` )
- End: `2421d3731e49faf5e2b9d3d4aa41bdbf3e81459a` ( `releases_v99.0.0` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
Nothing of interest (using `code_audit.sh`)
## Ticket Review ##
### 99 https://bugzilla.mozilla.org/buglist.cgi?query_format=advanced&resolution=FIXED&target_milestone=99%20Branch&order=priority%2Cbug_severity&limit=0
- https://bugzilla.mozilla.org/show_bug.cgi?id=1755354 @dan https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41138
- https://bugzilla.mozilla.org/show_bug.cgi?id=1637922 @richard https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41139
- https://bugzilla.mozilla.org/show_bug.cgi?id=1751366 @ma1 https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41140
- https://bugzilla.mozilla.org/show_bug.cgi?id=1675054 @dan https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41141
Nothing of interest (manual inspection)
**OR** (foreach)**
### foreach PROBLEMATIC_TICKET:
#### $(PROBLEMATIC_TICKET)
- Summary
- Review Result: (SAFE|BAD)
## Regression/Prior Vuln Review ##
Review proxy bypass bugs; check for new vectors to look for:
- https://gitlab.torproject.org/groups/tpo/applications/-/issues?scope=all&utf8=%E2%9C%93&state=opened&label_name[]=Proxy%20Bypass
- Look for new features like these, especially external app launch vectors
## Export
- [ ] Export Report and save to `tor-browser-spec/audits`

Sponsor 131 - Phase 3 - Major ESR 102 Migration
richard

https://gitlab.torproject.org/tpo/applications/tor-browser-spec/-/issues/40025
FF98 Audit
2022-10-24T20:33:26Z
aguestuser
# General
The audit begins at the commit hash where the previous audit ended. Use `code_audit.sh` for creating the diff and highlighting potentially problematic code. The audit is scoped to a specific language (currently C/C++, Rust, Java/Kotlin, and JavaScript).
The output includes the entire patch where the new problematic code was introduced. Search for `XXX MATCH XXX` to find the next potential violation.
`code_audit.sh` contains the list of known problematic APIs. New uses of these functions are documented and analyzed in this audit.
## Firefox: https://github.com/mozilla/gecko-dev.git
- Start: `82764d45153d175f4686ead7aac977810fe1fd1b` ( `FIREFOX_RELEASE_98_BASE` )
- End: `99300ebd4a4a6440b6a11a80108f1ed6d867cdb4` ( `FIREFOX_RELEASE_99_BASE` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
Nothing of interest (using `code_audit.sh`)
---
## Application Services: https://github.com/mozilla/application-services.git
- Start: `17942945873cdb8be56a9316d3cb8a611b3ef321` ( `v91.1.0` )
- End: `1fcdb5984be6e0cc460d00cde44c49b7e3ac1ec6` ( `v92.0.0` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
Nothing of interest (using `code_audit.sh`)
## Android Components: https://github.com/mozilla-mobile/android-components.git
- Start: `6f6ed0ca80410e42e8781bcf856e686ecbff2f63` ( `v98.0.0` )
- End: `a31f2c481a7e220ca87affd8cd88fcb42b1624c1` ( `v98.0.13` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
Nothing of interest (using `code_audit.sh`)
## Fenix: https://github.com/mozilla-mobile/fenix.git
- Start: `6c290430adc9af36e5123a78360a602bb5509c6c` ( `v98.0.0-beta.1` )
- End: `0df2c648ab38682569e823b2140b945a0d7d6a9b` ( `releases_v98.0.0` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
Nothing of interest (using `code_audit.sh`)
## Ticket Review ##
### 98 https://bugzilla.mozilla.org/buglist.cgi?query_format=advanced&resolution=FIXED&target_milestone=98%20Branch&order=priority%2Cbug_severity&limit=0
- https://bugzilla.mozilla.org/show_bug.cgi?id=1749501 : @ma1 https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41134
- https://bugzilla.mozilla.org/show_bug.cgi?id=1749323 : @dan https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41135
- https://bugzilla.mozilla.org/show_bug.cgi?id=1749635 : @pierov https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41136
- https://bugzilla.mozilla.org/show_bug.cgi?id=1751170 : @pierov https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41137
Nothing of interest (manual inspection)
**OR** (foreach)
### foreach PROBLEMATIC_TICKET:
#### $(PROBLEMATIC_TICKET)
- Summary
- Review Result: (SAFE|BAD)
## Regression/Prior Vuln Review ##
Review proxy bypass bugs; check for new vectors to look for:
- https://gitlab.torproject.org/groups/tpo/applications/-/issues?scope=all&utf8=%E2%9C%93&state=opened&label_name[]=Proxy%20Bypass
- Look for new features like these, especially external app launch vectors
## Export
- [ ] Export Report and save to `tor-browser-spec/audits`

Sponsor 131 - Phase 3 - Major ESR 102 Migration
richard

https://gitlab.torproject.org/tpo/applications/tor-browser-spec/-/issues/40024
FF96 Audit
2022-10-24T20:28:29Z
aguestuser
# General
The audit begins at the commit hash where the previous audit ended. Use `code_audit.sh` for creating the diff and highlighting potentially problematic code. The audit is scoped to a specific language (currently C/C++, Rust, Java/Kotlin, and JavaScript).
The output includes the entire patch where the new problematic code was introduced. Search for `XXX MATCH XXX` to find the next potential violation.
`code_audit.sh` contains the list of known problematic APIs. New uses of these functions are documented and analyzed in this audit.
## Firefox: https://github.com/mozilla/gecko-dev.git
- Start: `6a277ae5bdf6554793cd0da292a9c9ea804b4ed9` ( `FIREFOX_RELEASE_96_BASE` )
- End: `e6b83e1727b7e9a6847e6e15bdb935d9937099e4` ( `FIREFOX_RELEASE_97_BASE` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
#### e88ab3dace9ad1c671c6c37a5aa1a3652e754544
- Some Windows proxy stuff we need to check
- Review Result: (SAFE|BAD)
---
## Application Services: https://github.com/mozilla/application-services.git
- Start: `5ceeb43598871a7d8550acc574a6a3fb93803ad7` ( `v87.3.0` )
- End: `df53ad867be7d79899e05797533cd624f1eeb2a2` ( `v90.0.1` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
Nothing of interest (using `code_audit.sh`)
## Android Components: https://github.com/mozilla-mobile/android-components.git
- Start: `ea5bd2687c9b64245ea8e3cdcb84faa5d87d540a` ( `v96.0.0` )
- End: `0178a6fde98fa8c76885d67a2362f2ca310b67fd` ( `v96.0.15` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
Nothing of interest (using `code_audit.sh`)
**OR**
## Fenix: https://github.com/mozilla-mobile/fenix.git
- Start: `a7afdb776ca202bf5eafc29d6a84f047c1609e0f` ( `v96.0.0-beta.1` )
- End: `abe11c163d14fab17bdcf8aebbef2de2a3360032` ( `releases_v96.0.0` )
### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust
Nothing of interest (using `code_audit.sh`)
**OR**
## Ticket Review ##
### Review List
#### 96 https://bugzilla.mozilla.org/buglist.cgi?query_format=advanced&resolution=FIXED&target_milestone=96%20Branch&order=priority%2Cbug_severity&limit=0
- https://bugzilla.mozilla.org/show_bug.cgi?id=1740840 : @ma1 https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41129
### foreach PROBLEMATIC_TICKET:
#### $(PROBLEMATIC_TICKET)
- Summary
- Review Result: (SAFE|BAD)
## Regression/Prior Vuln Review ##
Review proxy bypass bugs; check for new vectors to look for:
- https://gitlab.torproject.org/groups/tpo/applications/-/issues?scope=all&utf8=%E2%9C%93&state=opened&label_name[]=Proxy%20Bypass
- Look for new features like these, especially external app launch vectors
## Export
- [x] Export Report and save to `tor-browser-spec/audits`

Sponsor 131 - Phase 3 - Major ESR 102 Migration
richard

https://gitlab.torproject.org/tpo/tpa/team/-/issues/40937
CI for wiki-replica is broken
2022-10-24T20:11:50Z
Jérôme Charaoui
lavamind@torproject.org
Since the markdownlint project on GitHub has [updated](https://github.com/markdownlint/markdownlint/commit/865ab4408132de980baddb9448047f411f4e3325) their Docker image a week ago, the [wiki-replica CI](https://gitlab.torproject.org/tpo/tpa/wiki-replica/-/jobs) is unable to run any tests because the container bootstrap is failing with:
> ERROR: Job failed (system failure): Error response from daemon: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec: "/bin/bash": stat /bin/bash: no such file or directory: unknown (exec.go:78:0s)

anarcat